Add config to inhibit account registration for SSO provider.
Add config option to inhibit random fallback ID's for SSO registration. Signed-off-by: Jason Volk <jason@zemos.net>
This commit is contained in:
Jason Volk
@@ -396,6 +396,10 @@ pub(crate) async fn sso_callback_route(
|
||||
|
||||
// Attempt to register a non-existing user.
|
||||
if !services.users.exists(&user_id).await {
|
||||
if !provider.registration {
|
||||
return Err!(Request(Forbidden("Registration from this provider is disabled")));
|
||||
}
|
||||
|
||||
register_user(&services, &provider, &session, &userinfo, &user_id).await?;
|
||||
}
|
||||
|
||||
@@ -697,6 +701,14 @@ async fn try_user_id(
|
||||
debug_warn!(?username, "Username exists.");
|
||||
return None;
|
||||
}
|
||||
} else if unique_id && !provider.unique_id_fallbacks {
|
||||
debug_warn!(
|
||||
?username,
|
||||
provider = ?provider.brand,
|
||||
"Unique ID fallbacks disabled.",
|
||||
);
|
||||
|
||||
return None;
|
||||
}
|
||||
|
||||
Some(user_id)
|
||||
|
||||
@@ -2760,6 +2760,37 @@ pub struct IdentityProvider {
|
||||
#[serde(default)]
|
||||
pub trusted: bool,
|
||||
|
||||
/// Setting this option to false will inhibit unique ID's from being
|
||||
/// generated as a last-resort when determining a UserId from a provider's
|
||||
/// claims. In the case of untrusted providers, when all provided claims
|
||||
/// conflict with existing user accounts, a unique fallback ID needs
|
||||
/// to be generated for registration to not be denied with an error.
|
||||
///
|
||||
/// Set this option to false if you operate a private server or a trusted
|
||||
/// identity provider where random UserId's are undesirable; the result of a
|
||||
/// misconfiguration or other issue where an error is warranted.
|
||||
///
|
||||
/// This option should be set to true for public servers or some users may
|
||||
/// never be able to register.
|
||||
///
|
||||
/// default: true
|
||||
#[serde(default = "true_fn")]
|
||||
pub unique_id_fallbacks: bool,
|
||||
|
||||
/// Controls whether new user registration is possible from this provider.
|
||||
/// When this option is set to false, authorizations from this provider
|
||||
/// only affect existing users and will never result in a new registration
|
||||
/// when the claims fail to match any existing user (in the case of trusted
|
||||
/// providers) or an available username is found (in the case of untrusted
|
||||
/// providers).
|
||||
///
|
||||
/// Setting this option to false is generally not useful unless there is
|
||||
/// an explicit reason to do so.
|
||||
///
|
||||
/// default: true
|
||||
#[serde(default = "true_fn")]
|
||||
pub registration: bool,
|
||||
|
||||
/// Optional extra path components after the issuer_url leading to the
|
||||
/// location of the `.well-known` directory used for discovery. If the path
|
||||
/// starts with a slash it will be treated as absolute, meaning overwriting
|
||||
|
||||
@@ -2360,6 +2360,33 @@
|
||||
#
|
||||
#trusted = false
|
||||
|
||||
# Setting this option to false will inhibit unique ID's from being
|
||||
# generated as a last-resort when determining a UserId from a provider's
|
||||
# claims. In the case of untrusted providers, when all provided claims
|
||||
# conflict with existing user accounts, a unique fallback ID needs
|
||||
# to be generated for registration to not be denied with an error.
|
||||
#
|
||||
# Set this option to false if you operate a private server or a trusted
|
||||
# identity provider where random UserId's are undesirable; the result of a
|
||||
# misconfiguration or other issue where an error is warranted.
|
||||
#
|
||||
# This option should be set to true for public servers or some users may
|
||||
# never be able to register.
|
||||
#
|
||||
#unique_id_fallbacks = true
|
||||
|
||||
# Controls whether new user registration is possible from this provider.
|
||||
# When this option is set to false, authorizations from this provider
|
||||
# only affect existing users and will never result in a new registration
|
||||
# when the claims fail to match any existing user (in the case of trusted
|
||||
# providers) or an available username is found (in the case of untrusted
|
||||
# providers).
|
||||
#
|
||||
# Setting this option to false is generally not useful unless there is
|
||||
# an explicit reason to do so.
|
||||
#
|
||||
#registration = true
|
||||
|
||||
# Optional extra path components after the issuer_url leading to the
|
||||
# location of the `.well-known` directory used for discovery. If the path
|
||||
# starts with a slash it will be treated as absolute, meaning overwriting
|
||||
|
||||
Reference in New Issue
Block a user